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DETAILED ACTION 

1. Claims 1-39 is pending. 



Claim Rejections - 35 USC §102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form 
the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for patent 
or (2) a patent granted on an application for patent by another filed in the United States 
before the invention by the applicant for patent, except that an international application 
filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application 
designated the United States and was published under Article 21(2) of such treaty in the 
English language. 

2. Claims 1-39 are rejected under 35 U.S.C. 102(e) as being anticipated 
by Yavatkar, et al. (US 6,735,702). 



As per claim 1: 

discloses gateway device disposed between a data center and a network for 
thwarting denial of service attacks on the data center, the gateway device 
comprises: a computing device comprising: 

a monitoring process that monitors network traffic through the gateway; 

[col.2, lines 53-55 and col.7, lines 43-44] 

a communication process that can communicate statistics collected 
[col.2, lines 4-5 and col. 10, lines 15-16] in the gateway from the monitoring 



Application/ Control Number: 09/93 1,344 Page 3 

Art Unit: 2135 

process with a control center and that can receive queries or instructions from 
the control center; [col.3, lines 25-29 and col. 11, lines 51-55] 

and a filtering process to allow filters to be inserted to filter out packets 
that the gateway deems to be part of an attack, [col. 13, lines 53-62 and 
col.20, lines 20-21] 

As per claim 2: See col.2, lines 57-59; discussing the communication 
process couples to a dedicated link to communicate with the control center 
over a hardened network. 

As per claim 3: See col.7, lines 43-45; discussing the monitoring process in 
the gateway samples network packet flow in the network. 

As per claim 4: See col.7, lines 43-44; discussing the gateway is adaptable 
to be physically deployed in line in the network. 

As per claim 5: See col. 14, lines 26-28 and col. 15, lines 38-39; 

discussing the gateway is adaptable to dynamically install filters on nearby 
routers. 

As per claim 6: See col. 13, lines 4-29 and col. 15, lines 30-33; discussing 
the monitoring process detects IP traffic and determines levels of unusual 
amounts of IP fragmentation or fragmented IP packets with bad or overlapping 
fragment offsets. 

As per claim 7: See col.13, lines 44-53 and col. 15, lines 19-21; 

discussing the monitoring process detects Internet Protocol (IP) traffic and 
determines levels of IP packets that have bad source addresses or Internet 
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Control Message Protocol (ICMP) packets with broadcast destination addresses. 
As per claim 8: See col. 13, lines 4-29 and col. 15, lines 30-33; discussing 
monitoring process detects Internet Protocol (IP) traffic and determines levels of 
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets 
to unused ports. 

As per claim 9: See col. 15, lines 30-33; discussing monitoring process 
detects IP traffic and determines levels of TCP segments advertising unusually 
small window sizes, which may indicate a load on the data center, or TCP ACK 
packets not belonging to a known connection. 

As per claim 10: See col. 1, lines 27-31; discussing monitoring process 
detects sustained rate higher than plausible for a human user over a persistent 
HTTP connection. 

As per claim 11: See col. 2, lines 53-55; discussing monitoring process 
maintains statistical summary information of traffic over different periods of 
time and at different levels of detail. 

As per claim 12: See col.2, lines 4-5 and col.3, lines 30-32; discussing 
monitoring process maintains statistics on parameters including source and 
destination host or network addresses, protocols, types of packets, number of 
open connections or of packets sent in either direction. 
As per claim 13: See col. 14, lines 54-58 and col.15, lines 26-27; 
discussing monitoring process has configurable thresholds and issues a 
warning when one of the measured parameters exceeds the corresponding 
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threshold. 

As per claim 14: See col.2, lines 4-5; discussing monitoring process logs 
packets. 

As per claim 15: See col. 5, lines 13-20 and coL13, lines 61-63; discussing 
monitoring process logs specific packets identified as part of an attack to 
enable an administrator to identify important properties of the attack. 
As per claim 16: 



disposing a gateway device between the victim site and a network; [col.7, 
lines 43-48] 

monitoring network traffic through the gateway and measuring 
heuristics of the network traffic; [col.2, lines 53-55 and col. 10, lines 16-62] 

communicating statistics collected in the gateway to a control center; 
[col.2, lines 4-5 and col. 3, lines 30-38] 

and filtering out packets that the gateway or control center deems to be 
part of an attack, [col. 13, lines 53-62 and col. 20, lines 20-21] 
As per claim 17: See col.2, lines 57-59; discussing communicating 

occurs over a dedicated link to the control center via a hardened network. 
As per claim 18: See col.2, lines 53-55 and col.7, lines 43-45; 

discussing monitoring samples network packet flow in the network. 
As per claim 19: See col.7, lines 43-44; discussing the gateway is 

physically deployed in line in the network. 




method of protecting a victim site during a denial of service attack, comprises: 
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As per claim 20: See col. 14, lines 26-28 and col. 15, lines 38-39; 

discussing filtering further comprises: dynamically installing filters on nearby 
routers via an out of band connection. 

As per claim 21: See col. 13, lines 4-29 and col. 15, lines 30-33; 

discussing monitoring further comprises: detecting IP traffic and determining 
levels of unusual amounts of IP fragmentation or fragmented IP packets with 
bad or overlapping fragment offsets. 

As per claim 22: See col. 13, lines 44-53 and col. 15, lines 19-21; 

discussing monitoring further comprises: detecting Internet Protocol (IP) traffic 
and determining levels of IP packets that have bad source addresses or Internet 
Control Message Protocol (ICMP) packets with broadcast destination addresses. 
As per claim 23: See col. 13, lines 4-29 and col. 15, lines 30-33; 

discussing monitoring further comprises: detecting Internet Protocol (IP) traffic 
and determining levels of Transport Control Protocol (TCP) or User Datagram 
Protocol UDP packets to unused ports. 

As per claim 24: See col. 15, lines 30-33; discussing monitoring 

further comprises: detecting IP traffic and determines levels of TCP segments 
advertising unusually small window sizes, which may indicate a load on the 
data center, or TCP ACK packets not belonging to a known connection. 
As per claim 25: See col. 1, lines 27-31; discussing monitoring further 

comprises: detecting a sustained rate of reload requests that is higher than 
plausible for a human user over a persistent HTTP connection. 
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As per claim 26: 



See col.2, lines 4-5 and col.3, lines 30-32; 



discussing monitoring further comprises: logging statistics on parameters 
including source and destination host or network addresses, protocols, types of 
packets, number of open connections or of packets sent in either direction. 



discussing monitoring further comprises: issuing a warning to the control 
center when one of the measured parameters exceeds a corresponding 
configurable threshold. 



discussing monitoring further comprises: logging specific packets identified as 
part of an attack to enable an administrator to identify important properties of 
the attack. 
As per claim 29: 

computer program product residing on a computer readable medium for 
protecting a victim site during a denial of service attack, comprises instructions 
for causing a computer device coupled at an entry to the site to: 

monitor network traffic sent to the victim site and measuring heuristics 
of the network traffic; [col.2, lines 53-55 and col. 10, lines 16-62] 

communicate statistics collected in the computer device to a control 
center; and [col. 2, lines 4-5 and col.3, lines 30-38] 

filter out packets that the device or control center deems to be part of an 
attack, [col. 13, lines 53-62 and col.20, lines 20-21] 



As per claim 27: 



See col. 14, lines 54-58 and col. 15, lines 26-27; 



As per claim 28: 



See col. 5, lines 13-20 and col. 13, lines 61-63; 
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As per claim 30: See coL2, lines 53-55; discussing sample network 

traffic flow. 

As per claim 31: See col. 14, lines 26-28 and col. 15, lines 38-39; 

discussing instructions to filter further comprise instructions to: dynamically 

install filters on nearby routers via an out of band connection. 

As per claim 32: See col. 13, lines 4-29 and col. 15, lines 30-33; 

discussing instructions to monitor further comprise instructions to: detect IP 

traffic; and determine levels of unusual amounts of IP fragmentation or 

fragmented IP packets with bad or overlapping fragment offsets. 

As per claim 33: See col. 13, lines 44-53 and col. 15, lines 19-21; 

discussing instructions to monitor further comprise instructions to: detect 

Internet Protocol (IP) traffic; and determine levels of IP packets that have bad 

source addresses or Internet Control Message Protocol (ICMP) packets with 

broadcast destination addresses. 

As per claim 34: See col. 13, lines 4-29 and col. 15, lines 30-33; 

discussing instructions to monitor further comprise instructions to: detect 
Internet Protocol (IP) traffic; and determine levels of Transport Control Protocol 
(TCP) or User Datagram Protocol UDP packets to unused ports. 
As per claim 35: See col. 15, lines 30-33; discussing instructions to 

monitor further comprises instructions to: detect IP traffic; and determine 
levels of TCP segments advertising unusually small window sizes, which may 
indicate a load on the data center, or TCP ACK packets not belonging to a 
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known connection. 

As per claim 36: See col.l, lines 27-31; discussing instructions to 

monitor further comprises instructions to: detect a sustained rate of reload 
requests that is higher than plausible for a human user over a persistent HTTP 
connection. 

As per claim 37: See col. 2, lines 4-5 and col. 3, lines 30-32; 

discussing instructions to monitor further comprises instructions to: log 
statistics on parameters including source and destination host or network 
addresses, protocols, types of packets, number of open connections or of 
packets sent in either direction. 

As per claim 38: See col. 14, lines 54-58 and col. 15, lines 26-27; 

discussing instructions to monitor further comprises instructions to: issue a 
warning to the control center when one of the measured parameters exceeds a 
corresponding configurable threshold. 

As per claim 39: See col.7, lines 43-55; discussing instructions to 

cause the processor to receive communications from a control center to deliver 
data pertaining to the types of traffic passing through the gateway. 
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Conclusion 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to LEYNNA T. HA whose telephone 
number is (571) 272-3851. The examiner can normally be reached on Monday 
- Thursday (7:00 - 5:00PM). 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached on (571) 272-3859. The fax 
phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at 866-217- 
9197 (toll-free). / 




